GDPR fines and penalties are starting to be assessed against organizations other than big tech companies. European regulators are stepping up their enforcement action significantly, as can be seen with a recent fine of €525,000 by the Dutch data protection authority against the Royal Dutch Lawn Tennis Association.
The Dutch data protection authority found the association unlawfully shared the personal information of its members with two sponsors. The data of more than 300,000 members was provided to one sponsor, while the other received information on 50,000. The association has appealed the fine, claiming the data sharing was based on legitimate interest under the GDPR. "Members were extensively informed prior to the promotions and were able to easily unsubscribe," the association said in a statement.
Only time will tell if the appeal will be successful, however incurring significant legal fees for the appeal, as well as the unwanted bad publicity, are detrimental to the association's financial position. Organizations of all shapes and sizes should take note about the uptick in GDPR enforcement: if you're noncompliant, you may be next.